[ESHOP launched] Trezor: Bitcoin hardware wallet

[Rath_]

Trezor celebrates the 100th episode of Stephan Livera's podcast. Until the 27th of August, you can get a 10% discount for any Trezor hardware wallet on the official store. Use 'SLP100' promo code.

[examplens]

Hm, today I update the new firmware on my Trezor One, after that, I have a new look of my first screen on them. Now I am not sure is it comes with the new firmware or I have a hardware problem. i did a couple of transactions and everything seems to be fine.

[Rath_]

Hm, today I update the new firmware on my Trezor One, after that, I have a new look of my first screen on them. Now I am not sure is it comes with the new firmware or I have a hardware problem. i did a couple of transactions and everything seems to be fine.

It is a new security feature. The appearance of these randomly generated white pixels mitigates the recently discovered OLED display information leak. Trezor T is not affected since it uses a different type of display. You can learn more about this vulnerability here.

[Coiner.de]

a calculated number of white decoy pixels is added to each row

Not randomly generated.

[OmegaStarScream]

Trezor introduced a new security standard called Shamir backup which is basically a way to split backup seeds. It's not available in the Trezor one so I couldn't try it, but could someone who did give us his thoughts about the subject?

[Rath_]

Trezor introduced a new security standard called Shamir backup which is basically a way to split backup seeds. It's not available in the Trezor one so I couldn't try it, but could someone who did give us his thoughts about the subject?

The whole process was fairly easy thanks to the detailed guide. I set the number of shares to 3 and the threshold to 2. I selected 20 words to keep it simple (typing in 66 words during recovery even on such a display would be tedious). Everything seems to be working fine, but I am going to stick to my current security policy. I recovered my old wallet. Feel free to ask me any questions.

By the way, Bitcoin only firmware has been available for both Trezor One and T since 4th September.

[HCP]

Theoretically... you could implement it with ANY backup seed using the Shamir's secret sharing scheme... refer: http://point-at-infinity.org/ssss/

Obiviously, getting a collection of 20 (or 33) word phrases is a bit more user friendly that a collection of HEX outputs that the SSSS linked above generates, but I would imagine it would be relatively trivial to simply re-encode the generated HEX to a word list using a system similar to BIP39.

The advantage of the Trezor solution is that the SatoshiLabs guys have built it into the Trezor T natively, so the data entry and conversion from recovery to actual seed mnemonic seed etc is secured within the device itself... nice and elegant... and most important, easy to use.

[Rath_]

Trezor prepared a newsletter-exclusive offer for people who sign up for their newsletter. All readers are going to receive it on Wednesday. The subscription link can be found in the tweet below.

Source: https://twitter.com/Trezor/status/1176221067943325697

[Rath_]

The newsletter-exclusive offer turned out to be a 15% discount code off anything in Trezor Shop, valid through 30 September. The code doesn't seem to be unique for each participant. Anyway, I am not going to use it so I can give it to anyone who sends me a private message.

[samuel-sd]

Hi guys!
I had generated a BIP39 seed and set up a software wallet based on it. Everything works fine. I am wondering if I can use the same seed to get access to my wallet with Trezor? Does trezor use regular BIP39 seeds for restoring wallets or it requires a special seed, which has to be generated on a trezor device?

[TryNinja]

Hi guys!
I had generated a BIP39 seed and set up a software wallet based on it. Everything works fine. I am wondering if I can use the same seed to get access to my wallet with Trezor? Does trezor use regular BIP39 seeds for restoring wallets or it requires a special seed, which has to be generated on a trezor device?\

You mean import a wallet you generated on your PC, with a different wallet, into Trezor?

Yes, you can. But I wouldn't do that. The point of a hardware wallet is that it is generated in an isolated device and it's safe from any outsider risk. If you import a seed that was generated outside the device, you can't guarantee the same security.

[samuel-sd]

Hi guys!
I had generated a BIP39 seed and set up a software wallet based on it. Everything works fine. I am wondering if I can use the same seed to get access to my wallet with Trezor? Does trezor use regular BIP39 seeds for restoring wallets or it requires a special seed, which has to be generated on a trezor device?

You mean import a wallet you generated on your PC, with a different wallet, into Trezor?

I mean, can I use an existed BIP39 seed (which was generated by third party software) to get access to a wallet?
Or Trezor is designed to recover wallets only with seeds which were generated by Trezor devices?
By the way, a trezor's native 12-word seed is a BIP39 one?

I am asking because I know that different developers use different algorithms to generate seeds and some devices might not support BIP39 seeds.

If you import a seed that was generated outside the device, you can't guarantee the same security.

Yes, I know that.

[TryNinja]

I mean, can I use an existed BIP39 seed (which was geterated by third party software) to get access to a wallet?
Or Trezor is designed to recover wallets only with seeds which were generated by Trezor devices?
By the way, a trezor's native 12-word seed is a BIP39 one?

I am asking because I know that different developers use different allgorithms to generate seeds and some devices might not support BIP39 seeds.

Like I said, yes. AFAIK, Trezor's seed is also BIP39.

[samuel-sd]

Like I said, yes. AFAIK, Trezor's seed is also BIP39.

Thanks!

[samuel-sd]

Hi everybody!

I recently read that all Trezor models have a hardware vulnerability, which let an attacker extract a seed from a wallet if it's not protected by a long passphrase. It says that the vulnerability cannot be patched by a software update. What is Trezor going to do about it? Are the developers going to fix the hardware for future models or they are going to keep manufacturing the old model with advice to use a long passphrase?

[Rath_]

Are the developers going to fix the hardware for future models or they are going to keep manufacturing the old model with advice to use a long passphrase?

The developers can't fix old models because they would have to change them drastically, including the software. I highly doubt that Trezor is going to release a new model anytime soon (there is still a lot to do for the Trezor T). Also, I don't think that they would suddenly change their security policy. They want to be as much transparent as possible. The attack can't be performed remotely. Passphrases should be used by everyone anyway. Here you can read Trezor's response.

[samuel-sd]

The developers can't fix old models because they would have to change them drastically, including the software. I highly doubt that Trezor is going to release a new model anytime soon (there is still a lot to do for the Trezor T). Also, I don't think that they would suddenly change their security policy. They want to be as much transparent as possible. The attack can't be performed remotely. Passphrases should be used by everyone anyway. Here you can read Trezor's response.

Thanks for the answer.
So, basicaly they admited the proplem but they did not say that they would fix it even in their future devices.

[Rath_]

So, basicaly they admited the proplem but they did say that they would fix it even in their future devices.

This sentence does not make any sense. Did you mean 'wouldn't fix'? Trezor is not the only device affected by this vulnerability. It looks like that every device with a ST microchip is affected so it's not their fault. Actually, they admitted that they had been aware of it since the beginning. I don't know how many alternatives there are. Ledger uses a different chip which provides 'security through obscurity' that might not appeal to many of the Trezor's customers.

[samuel-sd]

So, basicaly they admited the proplem but they did not say that they would fix it even in their future devices.

This sentence does not make any sense. Did you mean 'wouldn't fix'?

My bad, I fixed the original post.

Trezor is not the only device affected by this vulnerability. It looks like that every device with a ST microchip is affected so it's not their fault. Actually, they admitted that they had been aware of it since the beginning.

Too bad, If they knew it, why didn't they choose a different chip?

I don't know how many alternatives there are.

Did any hard wallet manufacturer offer a reward for revealing hardware vulnerabilities against their devices?
That would be cool

Ledger uses a different chip which provides 'security through obscurity'

Has it been hacked as Trezor has?

[Rath_]

Too bad, If they knew it, why didn't they choose a different chip?

There might have not been any alternatives. I am not an expert in this field. Ledger HW.1 also had an STM chip in its smartcard.

Did any hard wallet manufacturer offer a reward for revealing hardware vulnerabilities against their devices?

Yes, both Ledger and Trezor have their responsible disclosures programs. Ledger was supposed not to disclose this vulnerability publicly since it also affects many other devices. No individual has found out about it before them.

Has it been hacked as Trezor has?

There is no comparable hack at the moment for Ledger. Everything has been patched so far.